I recently got asked how we can disable old TLS versions on a server. The user was applying for a PCI compliance and wanted to have only TLS 1.2 running on their machine in order to pass the scan of the PCI vendor.
Before you start, please keep in mind that you can always run into some issues and it’s really important to make a working copy of your configuration files or to do a full server/droplet backup before you start the process. In this way you can always restore your config files or the whole droplet in case something goes wrong.
If you’re running an Apache server you will need to tweak the Apache/httpd configuration file in order to disable TLS 1.0 and 1.1.
One thing to keep in mind is that if you have any control panel interface/GUI like cPanel/Plesk you must tweak the configuration file from the control panel or the changes will be reverted.
If you don’t have any control panel running on the server you can make the change manually in the httpd configuration file. The location of the file should be:
and you might have a symlink here:
You can open the httpd configuration file with your favorite text editor, so you can use vi, vim or nano; it’s totally up to you.
You need to locate the following lines/rows:
The first one is for the SSL Cipher Suite and the second one for the actual protocol. In order to set only TLS 1.2 to be active you can copy/paste the following lines:
You can double check the available cipher suites using this link:
https://wiki.mozilla.org/Security/Server_Side_TLS
For TLS 1.3 you can use:
Now that the server is configured, it is time to test our Apache config for syntax errors:
Reload or restart the Apache server:
OR
==============================================================
If you’re running an Ubuntu 18.04 server you should be able to tweak the Apache configuration by following these steps:
You can open the Apache config file using any text editor and then look for the following lines/rows:
The file should be located here:
/etc/apache2/mods-available/ssl.conf
In order to leave only TLS 1.2 active you can use the following:
If you’re using Let’s Encrypt you need to edit the following file:
And put the following as code:
Now that the server is configured, it is time to test our Apache config for syntax errors:
Reload or restart the Apache server:
OR
This should make only TLS 1.2 available.
=============================================
3. For tweaking the TLS configuration on Nginx follow this:
Open the nginx configuration file:
Insert the following code snippet:
Now that the server is configured, it is time to test our nginx config for syntax errors:
Reload or restart the nginx server:
OR
In order to test if everything is okay and only TLS 1.2 is available you can use either nmap or openssl.
Example nmap command:
Example openssl command:
Hope this helps!
Please feel free to comment below if you use a different way/method to configure this!
Regards, Alex
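An added example, not part of Alex's answer or of the linked pages: a small Python audit that evaluates Apache `SSLProtocol` and nginx `ssl_protocols` directives the way the servers read them (including Apache's `all` and `+`/`-` syntax) and flags anything older than TLS 1.2, so you can check a config before reloading. The config snippets below are constructed samples.

```python
import re

# Versions mod_ssl expands "all" to (Apache 2.4 does not support SSLv2).
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Anything below TLS 1.2 is what a PCI scan will flag.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def apache_ssl_protocol(directive: str) -> set:
    """Evaluate an Apache SSLProtocol value such as 'all -SSLv3 -TLSv1 -TLSv1.1'
    or '-all +TLSv1.2' and return the set of versions it leaves enabled."""
    enabled = set()
    for token in directive.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        versions = APACHE_ALL if name.lower() == "all" else {name}
        enabled = enabled | versions if sign == "+" else enabled - versions
    return enabled


def nginx_ssl_protocols(directive: str) -> set:
    """Evaluate an nginx ssl_protocols value such as 'TLSv1.2 TLSv1.3;'."""
    return set(directive.rstrip(";").split())


def audit(config_text: str) -> dict:
    """Report, per protocol directive line (1-based), the enabled versions and
    the legacy ones still to remove. Commented-out lines are skipped; every
    directive is reported because a later SSLProtocol overrides an earlier one."""
    findings = {}
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.split("#", 1)[0].strip()
        m = re.match(r"(SSLProtocol|ssl_protocols)\s+(.+)$", stripped)
        if not m:
            continue
        parse = apache_ssl_protocol if m.group(1) == "SSLProtocol" else nginx_ssl_protocols
        enabled = parse(m.group(2))
        findings[lineno] = {"enabled": enabled, "legacy": enabled & LEGACY}
    return findings


# Constructed samples: a common default beside the hardened setting.
SAMPLE_APACHE = """\
SSLCipherSuite HIGH:!aNULL:!MD5
SSLProtocol all -SSLv3           # default-ish: still allows TLS 1.0/1.1
# SSLProtocol TLSv1              # commented out, ignored
SSLProtocol -all +TLSv1.2 +TLSv1.3
"""
SAMPLE_NGINX = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"

if __name__ == "__main__":
    for name, text in (("apache", SAMPLE_APACHE), ("nginx", SAMPLE_NGINX)):
        for lineno, f in audit(text).items():
            print(name, "line", lineno, "enabled:", sorted(f["enabled"]), "legacy:", sorted(f["legacy"]))
```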
This question was answered by @duvax:
May also need to edit /etc/letsencrypt/options-ssl-nginx.conf (apart from /etc/nginx/nginx.conf) per https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04?comment=85617